authorrwatson <rwatson@FreeBSD.org>2002-10-27 07:12:34 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-27 07:12:34 +0000
commit653f637c44410250d66ac8b2f617a644ad3d590c (patch)
tree789bed96910dc8f124a0dca9e09e81693002d3c9 /sys/security/mac/mac_framework.h
parentbe98961ae9a436687b5316053ddc75281a568984 (diff)
Implement mac_check_system_sysctl(), a MAC Framework entry point to
permit MAC policies to augment the security protections on sysctl() operations. This is not really a wonderful entry point, as we only have access to the MIB of the target sysctl entry, rather than the more useful entry name, but this is sufficient for policies like Biba that wish to use their notions of privilege or integrity to prevent inappropriate sysctl modification. Affects MAC kernels only. Since SYSCTL_LOCK isn't in sysctl.h, just kern_sysctl.c, we can't assert the SYSCTL subsystem lock in the MAC Framework. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'sys/security/mac/mac_framework.h')
-rw-r--r--sys/security/mac/mac_framework.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/security/mac/mac_framework.h b/sys/security/mac/mac_framework.h
index e43139d..0e07753 100644
--- a/sys/security/mac/mac_framework.h
+++ b/sys/security/mac/mac_framework.h
@@ -299,6 +299,9 @@ int mac_check_socket_send(struct ucred *cred, struct socket *so);
int mac_check_socket_visible(struct ucred *cred, struct socket *so);
int mac_check_system_reboot(struct ucred *cred, int howto);
int mac_check_system_swapon(struct ucred *cred, struct vnode *vp);
+int mac_check_system_sysctl(struct ucred *cred, int *name,
+ u_int namelen, void *old, size_t *oldlenp, int inkernel,
+ void *new, size_t newlen);
int mac_check_vnode_access(struct ucred *cred, struct vnode *vp,
int flags);
int mac_check_vnode_chdir(struct ucred *cred, struct vnode *dvp);
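Review bot: The added prototype for `mac_check_system_sysctl()` passes `old` and `new` as bare `void *` next to an `inkernel` flag, and nothing in the header tells a policy author which address space those pointers belong to. If they follow the usual sysctl request convention (an assumption, since the implementation is outside this hunk), they may be user-space addresses when `inkernel` is 0, so a policy that dereferences them directly would read untrusted memory from kernel context. A short comment above the declaration would make the contract explicit, for example `/* name/namelen: MIB vector of the target; old/new may be user addresses unless inkernel != 0 and must not be dereferenced by policies; new != NULL denotes a write request. */`. Since the check is only meant to inspect the MIB, declaring the first array parameter as `const int *name` would also document that policies must not modify it.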